Featured Home Page Discussion

Chrome 68 will mark all HTTP sites "not secure"

Senior Member

joined:Sept 25, 2005
posts:1673
votes: 239

For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

Administrator from GB

joined:May 9, 2000
posts:25047
votes: 660

This is potentially very significant. That notification is really going to mean traffic drops if people actually look at it and understand it. If they misunderstand it, the message coule put people off thinking they may have problems with the site. I suspect many will not actually click through to a site in the SERPs.

New User

joined:Nov 18, 2017
posts:2
votes: 0

I have a question: Most of my old sites are HTTP and all my backlinks are pointing to HTTP. However I have WHM/CPanel in my Servers and I enabled the AutoSSL/LetsEncrypt already. I do know i type https:// then it would work, but I still don't know how to transfer the HTTP to HTTPS smoothly, with the ranking and backlinks... Could anyone teach me about this please?

Senior Member

joined:Aug 4, 2008
posts:3329
votes: 253

Well my http sites are still doing extremely well, as traffic from google for all of them has either held steady or continued to climb. I also see plenty of other http sites ranking at or near the top of google's search results.

On the other hand, there have been reports that some sites suffered traffic losses immediately after switching to https. Since some of this lost traffic goes to http sites, they get an additional benefit from this as well.

So the current climate is extremely good for http sites. Even so, I've started looking at options for eventually switching at least one of my sites to https.

I don't think switching to https would help traffic much, although Google said that it would be a "tie-breaker" in the search results. But I may want to sell some of my sites eventually, and that might be easier if they are https.

That's great... however this announcement appears that your HTTP site may not continue to do "extremely well" after July when Chrome warns your visitors. Don't forget, Chrome is the most used browser in the world, especially on mobile.

Senior Member

joined:Sept 25, 2005
posts:1673
votes: 239

Sorry, but that makes no sense at all.

It's an exaggeration, of course, but since dynamically generated pages are not cached, a CDN would introduce additional latency and increase the time-to-first-byte (TTFB). You might win back some of that time with faster loading static resources, especially if there are many of them (or particularly large ones), but in my experience a fast first paint will often do more to boost that sense of "snappiness". Ideally, of course, you would create your own CDN where all servers can generate those pages by themselves, but that can be tricky to set up and maintain.

Having a CDN take care of HTTPS for you is not a terrible idea, as they support HTTP/2 and many other optimizations out of the box, but it does create a dependency, and the link between your server and the CDN would technically still be insecure. With the exception of Cloudflare's free plan, bandwidth at CDNs also tends to be very expensive (I once calculated I would be paying 10x my current hosting fees).

Also worth noting is that sticking a CDN in front of your site to get HTTPS does not automatically resolve issues with redirects and mixed content, which is exactly the area where most site owners are likely to break things. A well-executed move to HTTPS will not negatively influence your rankings or cost you any traffic -- except maybe a handful of stubborn users on very old devices.

It's not beyond you. You just need to be more informed as to why HTTPS is to your benefit and to the benefit of so-called informational sites.

Anyone not adapting to SSL is willfully lagging behind in earnings and relevancy. They would switch to HTTPS if they knew how much HTTPS is to their benefit. Those who stubbornly resist change like SSL are literally self-defeating and digging their own Internet graves.

Senior Member from AU

My main site has already been HTTPS coming up 12 months which is not the point. There is ONLY one reason to switch over to HTTPS...

If you don't follow the browser direction to do so - you will be "punished" by the browsers. However Mr Google and other SE's will not improve your position in the SERPS for doing it, Mr AdSense will not send more relevant Ads to your content for doing it. There is no real reward for doing it except the browsers will not punish you.

Better security? I laugh when I here that now. Windows OS, and Browsers all have almost daily security updates simply because their products were defective to begin with.

I'm almost 76 years of age and historically I have always reacted very badly to "do this or be punished" type scenarios. Something I have never, ever had cause to regret at all. Sometimes, many years later I've found myself mighty glad I did...

Senior Member

joined:Feb 12, 2006
posts:2679
votes: 105

Every year google tells us we have to change our sites or suffer in the serps — it’s a different thing every year. At the moment it’s https, in the past it was amp, improve our page speed, make it responsive for mobile, remove half the ads, don’t swap links, delete all the links we swapped, don’t do guest posts, don’t do this don’t do that, and like sheep we do it. I wonder what they’ll have us doing next year.

Senior Member from US

joined:Apr 9, 2011
posts:14435
votes: 576

Even if the page content is static html, there may well be dynamic headers or footers. To the designer it's static; to the server it's dynamic. (Crude test: Check your server logs. Unless you find the occasional 304 responses to page requests, they're not really static.)

Senior Member

joined:June 28, 2013
posts:3100
votes: 594

Point is, a CDN is not a *fix* for not updating a site to be secure

My point was simply that at least one CDN makes it very easy for anyone (even the technically clueless) to switch from HTTP to HTTPS, so "It's too hard" or "There's too much risk of screwing it up" is no longer a valid excuse for lagging behind.